Gates says technology's biggest challenge is keeping data secure

SAN FRANCISCO -- Microsoft spread word of several new and evolving security and identity management efforts today in public e-mail and a keynote speech here by Chairman Bill Gates and strategy chief Craig Mundie, as well as a string of product announcements.

Gates told an audience of about 4,000 information security professionals gathered for the 16th RSA Conference this week that Microsoft had recently passed two major security milestones.

Five years ago, Gates sent around one of his course-changing e-mail memos to the company, focusing Microsoft on "Trustworthy Computing." One result of that shift was a change to the company's software engineering process to build security into its products from the beginning.

The other milestone was last week's broad launch of Windows Vista, the first Microsoft operating system to be built under the new security-focused regime and billed as Microsoft's most secure offering to date.

"It's a platform that not only has advances in security, it's a platform with a lot of rich capabilities that people can build on top of," Gates said.

Not everyone was thrilled with Microsoft's growing push into the security business.

John Thompson, chairman and CEO of Symantec, took the stage shortly after Gates and implied that buying security software from the company that makes the operating system running most of the world's computers is not a good idea.

"No company is so dominant or so all-knowing that it can provide the level of confidence needed throughout the entire online world," Thompson said. "More than that, who would trust one company to do all of this and everything for them?

"Think about it: You wouldn't want the company that is keeping your books to audit your books. That same logic should apply. You wouldn't want the company that created your company's operating platform to be the one that's securing it from a broad range of threats. It's a huge conflict of interest."

Symantec was one of a number of large security companies to squabble with Microsoft last fall over access to elements of Vista used in building security software. It makes products that compete directly with new security offerings from Microsoft.

In response to complaints from rivals, Microsoft made some changes.

Gates and Mundie stuck to the big picture, talking about broad changes in network infrastructure leading to better security and management of online identities in the future.

In the past corporate information systems were built with the basic premise that everyone accessing them would be "good" and "we knew who they were," Mundie said.

"They were in our company and as long as we were secure at that boundary of our enterprise, life was pretty good," he said. "And then along came the Internet and it poked a lot of holes through that barrier that we had at the edge."

The executives said that the industry has to improve security in several ways to make possible the advance of what Microsoft calls "connected experiences" -- the idea of getting access to information and content anywhere, from any device connected to the Internet.

The company is helping to push a vision for how this will be accomplished.

It said it's joining one of its efforts for establishing a user's secure online identity, CardSpace, with OpenID 2.0, described as an "open, decentralized, free framework for user-centric digital identity." CardSpace is built in to Windows and makes possible various levels of identity disclosure for online transactions.

Microsoft made other security-related announcements Monday.

Identity Lifecycle Manager 2007, due out in May, is designed to help companies manage things like smart cards and certificates that establish online identity.

Forefront Server Security Management Console, released in a test form, is another in Microsoft's line of business security products.

Internet Explorer 7, the company's new Web browser, now has a site security certificate feature enabled. This previously announced capability turns the address bar green when a Web site has a valid security certificate from one of a dozen authorities.

The company's Phishing Filter will now draw on data about nefarious sites from four additional sources: Australian Computer Emergency Response Team (AusCERT), BrandProtect, MySpace.com and Netcraft. The filter previously got its data from at least five other outside sources.

Benjamin J. Romano: 206-464-2149 or bromano@seattletimes.com